Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Locate Array of Bytes within a process.

Cheat Engine Forum Index -> General programming
larcerkev
Newbie cheater
Reputation: 0

Joined: 17 Aug 2012
Posts: 17

Posted: Sat Aug 25, 2012 11:59 pm    Post subject: Locate Array of Bytes within a process.

I'm trying to do this from an external .exe file, I have googled around and saw something, but I couldn't get it to work even after fiddling... Anyone have an idea how to do this?

Edit: I'm doing it in C++.


Last edited by larcerkev on Sun Aug 26, 2012 10:44 am; edited 2 times in total
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Sun Aug 26, 2012 2:36 am

What language are you coding in? Not much anyone can help you with without that.
_________________
- Retired.
larcerkev
Newbie cheater
Reputation: 0

Joined: 17 Aug 2012
Posts: 17

Posted: Sun Aug 26, 2012 10:44 am

Oh crap, I forgot to mention I'm doing this in C++. I plan to do more fiddling around tonight after my two jobs, but I doubt I'll get something working.
n0 m3rcY
Cheater
Reputation: 0

Joined: 18 Jun 2012
Posts: 42

Posted: Mon Aug 27, 2012 12:28 am

Just do something like this (not actually tested code...)
Code:

#include <windows.h>
#include <tlhelp32.h>
#include <cstring>

// Find the module entry for ProcessName (e.g. L"game.exe") in any running process.
// Returns a zeroed MODULEENTRY32 (modBaseAddr == NULL) if nothing matched.
MODULEENTRY32 GetME32(const wchar_t *ProcessName)
{
   HANDLE hSnap;
   HANDLE hMod;
   PROCESSENTRY32 pe = {0};
   MODULEENTRY32 me = {0};

   hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if (hSnap == INVALID_HANDLE_VALUE)
      return me;

   pe.dwSize = sizeof(pe);
   if (Process32First(hSnap, &pe))
   {
      do {
         // Snapshot this process's modules (both the 64-bit and the 32-bit module lists).
         hMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pe.th32ProcessID);
         if (hMod == INVALID_HANDLE_VALUE)
            continue;   // e.g. access denied on a protected process: try the next one

         me.dwSize = sizeof(me);
         if (Module32First(hMod, &me))
         {
            do {
               if (_wcsicmp(me.szModule, ProcessName) == 0)
               {
                  CloseHandle(hMod);
                  CloseHandle(hSnap);
                  return me;
               }
            } while (Module32Next(hMod, &me));
         }
         CloseHandle(hMod);   // close the module snapshot before the next process, or it leaks
      } while (Process32Next(hSnap, &pe));
   }
   CloseHandle(hSnap);
   ZeroMemory(&me, sizeof(MODULEENTRY32));
   return me;
}

// Look for bpArray2 (dwSize bytes) inside bpArray1 (dwArray1Size bytes).
// Returns the offset of the first match, or (DWORD_PTR)-1 if there is none.
DWORD_PTR Compare(byte *bpArray1, DWORD dwArray1Size, byte *bpArray2, DWORD dwSize)
{
   if (dwSize == 0 || dwSize > dwArray1Size)
      return (DWORD_PTR)-1;
   for (DWORD k = 0; k + dwSize <= dwArray1Size; k++)   // never compare past the end of the buffer
   {
      if (memcmp(&bpArray1[k], bpArray2, dwSize) == 0)   // memcmp returns 0 when the bytes match
         return k;
   }
   return (DWORD_PTR)-1;
}

// Scan the module ProcName inside hProcess for the byte pattern bpAOB.
// Returns the absolute address of the first match, or 0 if it is not found.
DWORD_PTR FindBytes(HANDLE hProcess, const wchar_t *ProcName, byte *bpAOB, DWORD dwSize)
{
   const DWORD CHUNK = 1000;
   byte bpBuffer[CHUNK];
   MODULEENTRY32 mE = GetME32(ProcName);
   if (mE.modBaseAddr == NULL || dwSize == 0 || dwSize > CHUNK)
      return 0;

   DWORD_PTR i = 0;
   while (i < mE.modBaseSize)
   {
      // Never read past the end of the module.
      SIZE_T toRead = CHUNK;
      if (mE.modBaseSize - i < toRead)
         toRead = mE.modBaseSize - i;

      SIZE_T read = 0;
      if (!ReadProcessMemory(hProcess, mE.modBaseAddr + i, bpBuffer, toRead, &read) || read < dwSize)
      {
         i += CHUNK;   // unreadable region (e.g. a guard page): skip it
         continue;
      }

      DWORD_PTR offset = Compare(bpBuffer, (DWORD)read, bpAOB, dwSize);
      if (offset != (DWORD_PTR)-1)
         return (DWORD_PTR)mE.modBaseAddr + i + offset;

      // Step less than a full chunk so a pattern straddling two chunks is not missed.
      i += CHUNK - (dwSize - 1);
   }
   return 0;
}

larcerkev
Newbie cheater
Reputation: 0

Joined: 17 Aug 2012
Posts: 17

Posted: Mon Aug 27, 2012 9:22 pm

Thanks for the reply, I kind of get what you're trying to do there, I believe I found a method that may work well by reading the memory until I find the start of the program, then I would read out 2000 bytes at a time converting them into a hex string and searching that string for the array I wanted. Increasing by 1500 bytes at a time to ensure I don't miss the array. (1500 could probably be 1950.)
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Tue Aug 28, 2012 5:53 am

larcerkev wrote:
Thanks for the reply, I kind of get what you're trying to do there, I believe I found a method that may work well by reading the memory until I find the start of the program, then I would read out 2000 bytes at a time converting them into a hex string and searching that string for the array I wanted. Increasing by 1500 bytes at a time to ensure I don't miss the array. (1500 could probably be 1950.)


Something like this would be extremely inefficient. Doing all the extra steps to convert the data to a string and scanning that as well. You are better off sticking to comparing against the bytes as shown above. Also, you should dump based on the memory pages (VirtualQueryEx to get that info) rather than a smaller size to reduce the number of API calls you are doing.

_________________
- Retired.
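Added example, not code from anyone in this thread: a portable version of the chunked byte scan discussed above, iterating a list of readable regions (what VirtualQueryEx would report) and overlapping consecutive chunks by one byte less than the pattern length, which is the part larcerkev's 2000/1500 scheme is trying to get right. The read callback and the 0x00400000 base address are assumed stand-ins for ReadProcessMemory and a module base, and the region contents are constructed in memory so it runs offline.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

// Stand-in for ReadProcessMemory: copy up to `size` bytes at `addr` into `out`,
// return the count actually read (0 for an unreadable page).
using ReadFn = std::function<size_t(uintptr_t addr, uint8_t *out, size_t size)>;

// One readable region, as VirtualQueryEx would report it: base address + size.
struct Region { uintptr_t base; size_t size; };

// Scan each region in fixed chunks. Consecutive chunks overlap by
// pattern.size()-1 bytes, so a match straddling a chunk edge is still found.
// Returns the absolute address of the first match, or 0 when there is none.
uintptr_t scanRegions(const std::vector<Region> &regions, const std::vector<uint8_t> &pattern,
                      const ReadFn &read, size_t chunk = 4096)
{
    const size_t n = pattern.size();
    if (n == 0 || n > chunk) return 0;
    std::vector<uint8_t> buf(chunk);
    for (const Region &r : regions) {
        for (size_t off = 0; off + n <= r.size;) {
            size_t want = std::min(chunk, r.size - off);
            size_t got = read(r.base + off, buf.data(), want);
            if (got < n) { off += chunk; continue; }       // unreadable or too short: skip ahead
            for (size_t k = 0; k + n <= got; ++k)
                if (std::memcmp(&buf[k], pattern.data(), n) == 0)
                    return r.base + off + k;
            off += got - (n - 1);                           // keep n-1 bytes of overlap
        }
    }
    return 0;
}

// Constructed demo: an 8 KiB region of zeros with a 4-byte pattern written at
// offset 4094, so it crosses the 4096-byte chunk boundary. Returns the match address.
uintptr_t demoStraddle()
{
    const uintptr_t base = 0x00400000;          // assumed module base, not a real one
    std::vector<uint8_t> mem(8192, 0x00);
    const std::vector<uint8_t> pat = {0xDE, 0xAD, 0xBE, 0xEF};
    std::memcpy(&mem[4094], pat.data(), pat.size());
    ReadFn read = [&](uintptr_t addr, uint8_t *out, size_t size) -> size_t {
        if (addr < base || addr >= base + mem.size()) return 0;
        size_t avail = std::min(size, base + mem.size() - addr);
        std::memcpy(out, &mem[addr - base], avail);
        return avail;
    };
    return scanRegions({{base, mem.size()}}, pat, read);
}
```

A scanner that steps a full chunk at a time would miss this match, since only DE AD land in the first chunk; the overlap is what makes the second chunk see the whole pattern.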
All times are GMT - 6 Hours